Registry editing problem

From: Paul Webster (Paul.Webster.1nredp_at_pcbanter.net)
Date: 04/19/05


Date: Tue, 19 Apr 2005 18:03:57 +0000


Having recently been cobbled by the rather finely named ‘Lo thuong’
adware pest, I have had some difficulty with one element of the removal
process. Anyone have any tips?

First off, I killed these running processes in Task Manager:
systemroot+\isrvs\desktop.exe
systemroot+\isrvs\edmond.exe
systemroot+\isrvs\ffisearch.exe

The next stage is to delete the following registry entries,
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\desktop search
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ffis

Now this is where the problem lies, as they will not delete, all I get
is ‘cannot delete, disk may be full or item may being used by another
applications’ (might not be an absolute verbatim transcript as I’m in a
different building to the affected machine at the moment).
I’m logged on as administrator and have checked everything else that I
can think of, there is no indication at all that either item is running
or active in any way. The rest of the removal process goes as it should
but of course fails as this step has not been completed!

The next stage was to unregister these using regsvr32
systemroot+\isrvs\mfiltis.dll
systemroot+\isrvs\msdbhk.dll
systemroot+\isrvs\sysupd.dll

easy enough!

Then find and remove these
HKEY_CLASSES_ROOT\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}
HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}
HKEY_CLASSES_ROOT\mfiltis
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\ext\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot

And any other systemroot\isrvs directories as required

Again, simple enough, but can I hell as like get rid of those two run
entries in HKEY_LOCAL_MACHINE…….!!!

I’d be really grateful for any advice.

-- 
Paul Webster
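
A read-only check for the artifacts listed in the post above, as an added example that is not part of the original post. It assumes PowerShell is available on the affected machine and that `systemroot+\isrvs` means the `isrvs` folder under `%SystemRoot%`; it deletes nothing and only reports what is still present.

```powershell
# Added example: report which artifacts named in the post are still present.
# All paths and names come from the post; nothing is modified or deleted.
$isrvs  = Join-Path $env:SystemRoot 'isrvs'   # assumption: "systemroot+\isrvs"
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$results = @()

# Processes still running from the isrvs folder.
$procs = Get-Process | Where-Object {
    $_.Path -and $_.Path.StartsWith($isrvs, [StringComparison]::OrdinalIgnoreCase)
}
foreach ($p in $procs) {
    $results += [pscustomobject]@{ Type = 'Process'; Item = $p.Path; Present = $true }
}

# The two Run entries are values under the Run key, not subkeys,
# so they are looked up as properties of the key.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in 'desktop search', 'ffis') {
    $present = ($null -ne $run) -and ($null -ne $run.PSObject.Properties[$name])
    $results += [pscustomobject]@{ Type = 'RunValue'; Item = "$runKey\$name"; Present = $present }
}

# Registry keys listed for removal.
$keys = @(
    'Registry::HKEY_CLASSES_ROOT\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}',
    'Registry::HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}',
    'Registry::HKEY_CLASSES_ROOT\mfiltis',
    'Registry::HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\ext\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}',
    'Registry::HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot'
)
foreach ($k in $keys) {
    # -LiteralPath keeps the braces in the CLSIDs from being treated as wildcards.
    $results += [pscustomobject]@{ Type = 'RegKey'; Item = $k; Present = (Test-Path -LiteralPath $k) }
}

# Executables and DLLs named in the post.
foreach ($f in 'desktop.exe', 'edmond.exe', 'ffisearch.exe',
               'mfiltis.dll', 'msdbhk.dll', 'sysupd.dll') {
    $path = Join-Path $isrvs $f
    $results += [pscustomobject]@{ Type = 'File'; Item = $path; Present = (Test-Path -LiteralPath $path) }
}

$results | Format-Table -AutoSize -Wrap
```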

